EnGarde Secure Linux Security Advisory: Pine, LIDS, and sudo
Jan 15, 2002, 05:31 (0 Talkback[s])
+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory January 14, 2002 |
| http://www.engardelinux.org/ ESA-20020114-003 |
| |
| Packages: kernel / lids-base |
| Summary: There are several local vulnerabilities in the LIDS system. |
+------------------------------------------------------------------------+
EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection, Web
based secure remote management, complete e-commerce using AllCommerce,
and integrated open source security tools.
OVERVIEW
- --------
Recently there were several local vulnerabilities discovered in the LIDS
system used by EnGarde Secure Linux which could allow an attacker to
gain root, and even disable LIDS completely.
DETAIL
- ------
Stealth of TESO recently discovered several vulnerabilities in the LIDS
(Linux Intrusion Detection System). The following is an outline of
these bugs:
1) Using the LD_PRELOAD environment variable (and potentially other
LD_ variables), an attacker can make programs granted specific
capabilities "leak" them to unprivileged processes. For example,
if there is a program granted CAP_SETUID then an attacker can gain
root.
2) An attacker, who has already gained root, could write directly to
the LIDS data structures in kernel memory (using /dev/kem) and
effectively disable LIDS.
3) Philippe Biondi of the LIDS team also discovered that programs
launched before LIDS is sealed keep full capabilities after the
sealing takes place. This allows a window of opportunity for an
attacker to leverage the CAP_SYSRAWIO or CAPSYS_MODULE
capabilities.
All known LIDS bugs are fixed with this release. In addition to new
kernel packages, there are new 'lids-base' packages with an updated LIDS
configuration to accommodate the kernel changes. All users are
recommended to upgrade immediately, following the special SOLUTION
outlined in this advisory.
SOLUTION
- --------
This information applies only to EnGarde Secure Linux Community edition
users. Registered users of the EnGarde Secure Linux Professional
edition can use the Guardian Digital Secure Network to upgrade their
packages automatically.
All users should upgrade to the most recent version as outlined in
this advisory. All updates may be found at:
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/
Please read and understand this entire section before you attempt to
upgrade the kernel.
Initial Steps
-------------
1) Verify the machine is either:
a) booted into a "standard" kernel; or
b) LIDS is disabled (/sbin/lidsadm -S -- -LIDS_GLOBAL)
2) Determine which kernels you currently have installed:
# rpm -qa --qf "%{NAME}.%{ARCH}\n" | grep kernel
3) Download the new kernels that match what you have installed
(based on step 2) from the "UPDATED PACKAGES" section of this
advisory.
Installation Steps
------------------
4) Install the new kernel and lids-base packages. Because of version
dependencies, you MUST install both the updated kernel packages and
the new lids-base package at the same time. The kernel packages
will automagically update /etc/lilo.conf by commenting out any old
EnGarde images and replacing them with the new ones:
# rpm --replacefiles -i <kernel 1> <kernel 2> ... <lids-base>
5) The new lids-base package will automatically update your LIDS
configuration to work with the new kernels. You must now re-run
LILO by hand. If you see any errors then open /etc/lilo.conf in
your favorite text editor and make the appropriate changes:
# /sbin/lilo
Final Steps
-----------
6) If you did not see any LILO errors then your new kernel is now
installed and your machine is ready to be rebooted:
# reboot
UPDATED PACKAGES
- ----------------
These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).
Source Packages:
SRPMS/kernel-2.2.19-1.0.24.src.rpm
MD5 Sum: 18e6a28e9b97b70e4d47693a14d5bc5d
SRPMS/lids-base-0.9.15-1.0.27.src.rpm
MD5 Sum: 06e4e37f90072cc02ee57ef8bc342c16
Binary Packages:
i386/kernel-2.2.19-1.0.24.i386.rpm
MD5 Sum: e81ed6ebea8cbbd48436dd4dca77f12b
i386/kernel-lids-mods-2.2.19-1.0.24.i386.rpm
MD5 Sum: 5d05f9f9bf4c18b50cb6d5bffde09218
i386/kernel-smp-lids-mods-2.2.19-1.0.24.i386.rpm
MD5 Sum: 8bece6223cd528772e12cfab1599625b
i386/kernel-smp-mods-2.2.19-1.0.24.i386.rpm
MD5 Sum: a609eae6b7505f2827ca13611dcfa5af
i686/kernel-2.2.19-1.0.24.i686.rpm
MD5 Sum: de36286c504b2593814ff61505afc4fc
i686/kernel-lids-mods-2.2.19-1.0.24.i686.rpm
MD5 Sum: b4c1232d4f77dfb7375d842659387116
i686/kernel-smp-lids-mods-2.2.19-1.0.24.i686.rpm
MD5 Sum: 4a719fcf119a553d11807c2d8a0c0b45
i686/kernel-smp-mods-2.2.19-1.0.24.i686.rpm
MD5 Sum: 7d3c6094a8c1ac1e8797c04b64ad746c
i386/lids-base-0.9.15-1.0.26.i386.rpm
MD5 Sum: 698cb992aa428eec3e38c220043792d7
i686/lids-base-0.9.15-1.0.26.i686.rpm
MD5 Sum: 337b68513574355c4c120b11b79b8726
REFERENCES
- ----------
Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
The LIDS Advisory Published by TESO:
http://www.team-teso.org/advisories/teso-advisory-012.txt
Credit for the discovery of these bugs goes to:
Stealth <stealth@team-teso.net>
Philippe Biondi <pbi@cartel-info.fr>
LIDS' Official Web Site:
http://www.lids.org/
Security Contact: security@guardiandigital.com
EnGarde Advisories: http://www.engardelinux.org/advisories.html
- --------------------------------------------------------------------------
$Id: ESA-20020114-003-lids,v 1.2 2002/01/14 21:36:46 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple, <ryan@guardiandigital.com>
Copyright 2002, Guardian Digital, Inc.
<hr>
+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory January 14, 2002 |
| http://www.engardelinux.org/ ESA-20020114-002 |
| |
| Package: pine |
| Summary: 'pine' URL handling vulnerability |
+------------------------------------------------------------------------+
EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection, Web
based secure remote management, complete e-commerce using AllCommerce,
and integrated open source security tools.
OVERVIEW
- --------
There is a vulnerability in pine which can allow an attacker to execute
arbitrary commands on a victims machine by sending them a specially-
crafted URL which is then mishandled by pine's URL handling code.
DETAIL
- ------
zen-parse has found a URL handling vulnerability, much like the recent
xchat vulnerability (http://www.securityfocus.com/bid/1601), in the pine
mail and news reader. By sending a victim a URL of the form:
http://address/'&/some/program${IFS}with${IFS}arguments&'
(where ' is the backtick character)
an attacker can execute '/some/program with arguments' on the victims
machine. If the victim is reading his mail as root (which is
obviously not recommended) then this can lead to a root compromise.
SOLUTION
- --------
This information applies only to EnGarde Secure Linux Community edition
users. Registered users of the EnGarde Secure Linux Professional
edition can use the Guardian Digital Secure Network to upgrade their
packages automatically.
All users should upgrade to the most recent version as outlined in
this advisory. All updates may be found at:
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/
Before upgrading the package, the machine must either:
a) be booted into a "standard" kernel; or
b) have LIDS disabled.
To disable LIDS, execute the command:
# /sbin/lidsadm -S -- -LIDS_GLOBAL
To install the updated package, execute the command:
# rpm -Uvh <filename>
You must now update the LIDS configuration by executing the command:
# /usr/sbin/config_lids.pl
To re-enable LIDS (if it was disabled), execute the command:
# /sbin/lidsadm -S -- +LIDS_GLOBAL
To verify the signatures of the updated packages, execute the command:
# rpm -Kv <filename>
UPDATED PACKAGES
- ----------------
These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).
Source Packages:
SRPMS/pine-4.33-1.0.6.src.rpm
MD5 Sum: 7a6653d8814945edee9ab544afb696bc
Binary Packages:
i386/pine-4.33-1.0.6.i386.rpm
MD5 Sum: 4b1d60e1e7ccb3a8a511db42877f0b15
i686/pine-4.33-1.0.6.i686.rpm
MD5 Sum: 995ed060b84adb05b5b274d353becd91
REFERENCES
- ----------
Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
Credit for the discovery of this bug goes to:
zen-parse <zen-parse@gmx.net>
pine's Official Web Site:
http://www.washington.edu/pine/
Security Contact: security@guardiandigital.com
EnGarde Advisories: http://www.engardelinux.org/advisories.html
- --------------------------------------------------------------------------
$Id: ESA-20020114-002-pine,v 1.2 2002/01/14 18:20:07 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple, <ryan@guardiandigital.com>
Copyright 2002, Guardian Digital, Inc.
<hr>
+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory January 14, 2002 |
| http://www.engardelinux.org/ ESA-20020114-001 |
| |
| Package: sudo |
| Summary: sudo can invoke the system MTA as root. |
+------------------------------------------------------------------------+
EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection, Web
based secure remote management, complete e-commerce using AllCommerce,
and integrated open source security tools.
OVERVIEW
- --------
There is a vulnerability in sudo which can allow an attacker to trick
sudo into running the system MTA with root privileges and an unclean
environment, possibly leading to a root compromise.
DETAIL
- ------
Sebastian Krahmer of the SuSE Security Team found a bug in sudo which
can allow an attacker to send a failed-invocation email with root
privileges and an unclean environment. Using the Postfix MTA an
attacker can potentially gain a root shell. No other MTA is known to be
exploitable at this time.
We would like to reiterate that the bug is in sudo, not Postfix which is
simply being used as a vehicle in this instance.
This bug is fixed by having sudo run the MTA with user privileges
instead of with root privileges.
SOLUTION
- --------
This information applies only to EnGarde Secure Linux Community edition
users. Registered users of the EnGarde Secure Linux Professional
edition can use the Guardian Digital Secure Network to upgrade their
packages automatically.
All users should upgrade to the most recent version as outlined in
this advisory. All updates may be found at:
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/
Before upgrading the package, the machine must either:
a) be booted into a "standard" kernel; or
b) have LIDS disabled.
To disable LIDS, execute the command:
# /sbin/lidsadm -S -- -LIDS_GLOBAL
To install the updated package, execute the command:
# rpm -Uvh <filename>
You must now update the LIDS configuration by executing the command:
# /usr/sbin/config_lids.pl
To re-enable LIDS (if it was disabled), execute the command:
# /sbin/lidsadm -S -- +LIDS_GLOBAL
To verify the signatures of the updated packages, execute the command:
# rpm -Kv <filename>
UPDATED PACKAGES
- ----------------
These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).
Source Packages:
SRPMS/sudo-1.6.4-1.0.6.src.rpm
MD5 Sum: bf14204686a62f01b429eb28d83cfd6b
Binary Packages:
i386/sudo-1.6.4-1.0.6.i386.rpm
MD5 Sum: 83fceade44a6d263647653351c2acade
i686/sudo-1.6.4-1.0.6.i686.rpm
MD5 Sum: 8b8c9344cbc950cd9fd4f2fc1c3136f8
REFERENCES
- ----------
Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
Credit for the discovery of this bug goes to:
Sebastian Krahmer <krahmer@suse.de>
sudo's Official Web Site:
http://www.sudo.ws/sudo/
Security Contact: security@guardiandigital.com
EnGarde Advisories: http://www.engardelinux.org/advisories.html
- --------------------------------------------------------------------------
$Id: ESA-20020114-001-sudo,v 1.1 2002/01/14 17:36:06 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple, <ryan@guardiandigital.com>
Copyright 2002, Guardian Digital, Inc.
